<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi Otto.<br>
<br>
Thank you for your response and the info given therein.<br>
<br>
On 2015-04-03 20:03, Otto Kekäläinen wrote:<br>
</div>
<blockquote
cite="mid:CAHj_TLDj+ETu7-5yEMC=UW_ofPRqQQnDUANpe=aoktruRJsLgQ@mail.gmail.com"
type="cite">
<pre wrap="">In Debian we used to apply the hardening-wrapper package/tool in
mysql-5.5 and mariadb-5.5 packages until it was deprecated in the
Debian policy. In mysql-5.6 and mariadb-10.0 we are using the new
compiler flags based hardening. See e.g. the rules file
<a class="moz-txt-link-freetext" href="https://github.com/ottok/mariadb-10.0/blob/master/debian/rules">https://github.com/ottok/mariadb-10.0/blob/master/debian/rules</a></pre>
</blockquote>
To be honest I didn't even think about that kind of (build)
hardening, but of course it is a benefit to "defend" against
potential attacks.<br>
<br>
What I was thinking about -- and sorry for not being more specific
-- is "config hardening" in a way that "dangerous" features might be
disabled by default (e.g. might only listen on Unix domain socket
and not TCP socket by default, or <i>if</i> TCP socket is active by
default the daemon might only bind to the loopback interface), rate
limiting and other usage restrictions (ulimit?) might be enabled for
the pre-defined MySQL database users or the MySQL system user to
prevent DoS attacks, etc.<br>
<br>
So basically config changes which can serve to increase security,
compared to the "stock" MySQL config that comes from upstream.<br>
<br>
I assume that you can't (and probably don't even want to) make any
statements re. the "stock" config, so I will search on the upstream
MySQL site as well.<br>
<blockquote
cite="mid:CAHj_TLDj+ETu7-5yEMC=UW_ofPRqQQnDUANpe=aoktruRJsLgQ@mail.gmail.com"
type="cite">
<pre wrap="">If you are an expert in this area or even just somebody with basic
skills and have time to research it, I am sure everybody would be glad
to get contributions on how to improve the current situation.
</pre>
</blockquote>
I'm always a strong supporter of giving back to the community, but
unfortunately I'm currently not in the position to do so. On the
contrary I need support myself because I'm undergoing a security
assessment/audit and must "prove" that our systems are secure. ;-)<br>
<br>
Kind regards,<br>
<br>
Ralf<br>
<br>
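<div>An added example, not part of the message above or of the Debian packaging: a small Python audit of a my.cnf for the config-hardening points raised in the message (Unix socket only, loopback-only TCP, per-account connection caps). The helper name audit() and both sample configs are constructed for illustration; it assumes a single file and does not follow !include directives.</div>

```python
import configparser

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample configs, not taken from any real system or package.
STOCK = """
[mysqld]
port = 3306
bind-address = 0.0.0.0
"""
HARDENED = """
[mysqld]
skip-networking
socket = /var/run/mysqld/mysqld.sock
max_user_connections = 20
"""

def audit(text):
    """Return a list of findings for the [mysqld] section of a my.cnf string."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section found"]
    # The server accepts '-' and '_' interchangeably in option names.
    opts = {k.replace("_", "-"): v for k, v in cp.items("mysqld")}
    findings = []

    # skip-networking disables the TCP listener entirely (socket only).
    tcp_off = ("skip-networking" in opts
               and opts["skip-networking"] not in ("0", "off", "false"))
    if not tcp_off:
        bind = opts.get("bind-address")
        if bind is None:
            findings.append("bind-address unset: TCP may listen on all interfaces")
        elif bind.strip() not in LOOPBACK:
            findings.append("TCP listener bound to " + bind.strip())

    # max_user_connections = 0 (the default) means no per-account cap.
    if opts.get("max-user-connections", "0").strip() == "0":
        findings.append("no per-account connection cap (max_user_connections)")
    return findings

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, audit(cfg))
```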
</body>
</html>